openid / OpenID4VP


Privacy considerations on request_uri #80

Open paulbastian opened 8 months ago

paulbastian commented 8 months ago

In the current state, according to RFC9101, the Wallet must fetch the Request Object from request_uri without having any means to verify the identity and authenticity of the Verifier. The request for this object therefore may leak data to the Verifier without the User knowing that or giving consent.

Is this something that should be stated in a privacy considerations section?

awoie commented 6 months ago

There won't be a TLS connection if the server certificate of the request_uri endpoint is not trusted. There are out-of-band mechanisms that would allow the wallet to trust the request_uri endpoint beforehand. E.g., a wallet might check if the FQDN of the request_uri endpoint matches a SAN of a certificate the wallet may trust and have obtained using client_id/client_id_scheme.

I guess it makes sense to add something to the privacy considerations section.
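The pre-fetch check sketched in the comment above, written out as an added example (this is editor-supplied illustration code, not code from the OpenID4VP project or from the commenter). It assumes the wallet already holds, keyed by client_id, the SAN entries of a certificate it trusts for that Verifier; the `TRUSTED_VERIFIER_SANS` table is a constructed stand-in for however that trust material is actually obtained, and all function names are hypothetical. The point it demonstrates is that the wallet decides whether to dereference request_uri before any network request is made, so nothing leaks to an endpoint the wallet cannot tie to the claimed Verifier.

```python
"""Decide whether a wallet may fetch a Request Object from request_uri.

Added example, not OpenID4VP project code. The wallet only fetches when the
request_uri host is covered by a Subject Alternative Name of a certificate it
already trusts for the presenting client_id; otherwise the fetch itself would
leak the User's interest (and IP, User-Agent, ...) to an unverified party.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for "a certificate the wallet may trust and have obtained
# using client_id/client_id_scheme": client_id -> SAN entries of that certificate.
TRUSTED_VERIFIER_SANS = {
    "verifier.example.com": [
        ("DNS", "verifier.example.com"),
        ("DNS", "*.verifier.example.com"),
    ],
    "kiosk-verifier": [("IP", "2001:db8::10")],
}


def _dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style dNSName match: exact match, or a single leading wildcard
    label that stands for exactly one host label. Partial wildcards
    (f*.example.com) and overly broad ones (*.com) are rejected."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    # '*.com' would cover every .com host; require at least two fixed labels,
    # and the wildcard must cover exactly one label of the host.
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def request_uri_endpoint_trusted(request_uri: str, san_entries) -> tuple[bool, str]:
    """Return (allowed, reason). Only https, no userinfo tricks, and the host
    must match a dNSName or iPAddress SAN from the trusted certificate."""
    u = urlsplit(request_uri)
    if u.scheme != "https":
        return False, "request_uri must use https"
    if u.username is not None or u.password is not None:
        # 'https://verifier.example.com@evil.example/' would otherwise look trusted
        return False, "userinfo in request_uri is rejected"
    host = u.hostname
    if not host:
        return False, "request_uri has no host"
    try:
        ip = ipaddress.ip_address(host)  # urlsplit strips the [] around IPv6 literals
    except ValueError:
        ip = None
    for kind, value in san_entries:
        if ip is not None and kind == "IP" and ipaddress.ip_address(value) == ip:
            return True, f"host {host} matches iPAddress SAN {value}"
        if ip is None and kind == "DNS" and _dns_name_matches(value, host):
            return True, f"host {host} matches dNSName SAN {value}"
    return False, f"host {host} is not covered by any SAN trusted for this client_id"


def should_fetch_request_object(client_id: str, request_uri: str) -> tuple[bool, str]:
    """The wallet's gate before dereferencing request_uri."""
    sans = TRUSTED_VERIFIER_SANS.get(client_id)
    if sans is None:
        return False, "no trusted certificate for client_id; fetching would leak to an unverified party"
    return request_uri_endpoint_trusted(request_uri, sans)


if __name__ == "__main__":
    for cid, uri in [
        ("verifier.example.com", "https://verifier.example.com/request/abc"),
        ("verifier.example.com", "https://api.verifier.example.com/request/abc"),
        ("verifier.example.com", "https://deep.api.verifier.example.com/request/abc"),
        ("verifier.example.com", "http://verifier.example.com/request/abc"),
        ("verifier.example.com", "https://verifier.example.com@evil.example/request/abc"),
        ("verifier.example.com", "https://evil.example/request/abc"),
        ("kiosk-verifier", "https://[2001:db8::10]/request/abc"),
        ("unknown-client", "https://verifier.example.com/request/abc"),
    ]:
        allowed, why = should_fetch_request_object(cid, uri)
        print(f"{'FETCH ' if allowed else 'REFUSE'} {cid} {uri}: {why}")
```

Note that this only gates the fetch; the Request Object itself still has to be signature-checked against the same Verifier identity once retrieved, and a wallet with no trust material for the client_id should refuse rather than fall back to "fetch and see".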

jogu commented 6 months ago

We could use similar text to the credential_offer_uri considerations in VCI: https://openid.github.io/OpenID4VCI/openid-4-verifiable-credential-issuance-wg-draft.html#name-identifying-the-wallet

Also we should have a privacy considerations section :-) ( https://github.com/openid/OpenID4VP/issues/24 )